b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                    The Enterprise Systems Management\n                   Program Is Making Progress to Improve\n                  Service Delivery and Monitoring, but Risks\n                                   Remain\n\n\n\n                                      September 12, 2008\n\n                              Reference Number: 2008-20-161\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n Email Address | inquiries@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                DEPARTMENT OF THE TREASURY\n                                                      WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                              September 12, 2008\n\n\n MEMORANDUM FOR CHIEF INFORMATION OFFICER\n\n FROM:                        Michael R. Phillips\n                              Deputy Inspector General for Audit\n\n SUBJECT:                     Final Audit Report \xe2\x80\x93 The Enterprise Systems Management Program Is\n                              Making Progress to Improve Service Delivery and Monitoring, but\n                              Risks Remain (Audit # 200720039)\n\n This report presents the results of our review to assess the efficiency and effectiveness of the\n Enterprise Systems Management (ESM) organization implementation and strategy. This review\n was part of our Fiscal Year 2008 audit plan for reviews of the Internal Revenue Service\xe2\x80\x99s (IRS)\n Modernization and Information Technology Services organization activities.\n\n Impact on the Taxpayer\n The IRS has begun an ESM initiative to improve the effectiveness and efficiency of managing\n computer systems operations and the availability of business systems services on an\n enterprise-wide basis. The initiative is making progress toward accomplishing its goals.\n However, we found that the ESM initiative incurred schedule slippage and $491,952 in\n additional costs. By improving management practices and controls, this initiative could make\n better use of taxpayer dollars by reducing the frequency and duration of computer system\n outages, improve service availability for customers, and reduce IRS costs associated with owning\n and managing software tools.\n\n Synopsis\n The overall strategic direction for the ESM organization is to be an enterprise-level organization\n with centralized control over software tools and processes1 based upon Information Technology\n\n 1\n  ESM-related software tools and processes are used to provide computer systems support and services such as tool\n administration, systems monitoring, and change control.\n\x0c                   The Enterprise Systems Management Program Is Making Progress\n                     to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\nInfrastructure Library concepts.2 To accomplish this strategy, the following three ESM projects\nwere established: End-to-End Business Systems Monitoring Project; Tools Centralization and\nConsolidation Project; and Organization and Operations Design Project.\nIn June 2007, the IRS began the process of making organizational changes to improve service\ndelivery effectiveness and efficiency. The ESM organization maintains a useful interactive web\nsite where IRS personnel can obtain the results and reports of its monitoring activities. Overall,\nthe three ESM projects are making progress toward the goals of providing better service and\nreducing costs. However, additional work is needed to improve ESM organization management\npractices and controls.\nThe IRS did not always provide funding for contractor support for the ESM projects in a timely\nmanner. Funding for contractor support lapsed in July 2007 and a subsequent contract was not\nawarded until August 29, 2007. Management commented that it took approximately 2 months to\nget the new contractors familiar with the work previously completed. We reviewed contractor\ninvoices from September 4 through October 31, 2007 and determined that the IRS spent\n$491,952 just to get the new contractors familiar with what had been previously provided.\nSubsequently, the Chief Information Officer approved $875,000 for ESM contractor support\nthrough May 2008. However, as of June 26, 2008, additional funding had not been approved.\nIRS management stated that funding problems occurred because the demand for funds is always\nmuch greater than the supply, and funding requirements are based on both available resources\nand IRS project prioritization.\nThe ESM projects did not always have adequate executive steering committee oversight to\nensure that issues and risks were resolved in a timely manner. It was not clear which\norganization was responsible for overseeing the ESM projects. ESM organization management\nstated that the Information Technology Service Management organization provided oversight of\nthe ESM projects based on a verbal agreement. However, this organization\xe2\x80\x99s management\nadvised us that the Infrastructure Executive Steering Committee provided the formal governance\nfor the ESM projects. Currently, the ESM initiative is scheduled to go before the Infrastructure\nExecutive Steering Committee in July 2008.\nIn addition, significant ESM project decisions and events were not always documented. For\nexample, the End-to-End Business Systems Monitoring Project did not have any written\ndocumentation showing the four specific applications recommended for future work or to\nsupport who approved the applications and when they were approved because the decisions were\nverbal. In addition, the tool subsets selection process and changes to the selection process were\nnot documented. During the audit, management implemented corrective actions to address the\ndocumentation issue.\n\n\n\n2\n    See Appendix V for a glossary of terms.\n                                                                                                     2\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\nThe Tools Centralization and Consolidation Project is collecting data on software tools within\nthe Modernization and Information Technology Services organization and entering the data into\na database called the Tool Repository. As of April 15, 2008, the Tool Repository listed\n240 tools. The numbers of licenses owned and/or used were incomplete for 112 (47 percent) of\nthe tools. The number of licenses owned and/or used is not readily available or easily accessible\nbecause the IRS does not have a database or software license tracking tool to assist in identifying\nand tracking software used on its servers. Without the ability to track software licenses and\ndistribution, the IRS risks paying for additional licenses when unused licenses were available for\ndistribution or paying for licenses that are not needed.\n\nRecommendations\nThe Chief Information Officer should ensure that 1) the ESM projects receive timely and\nsufficient funding or revise the projects\xe2\x80\x99 tasks, 2) the ESM projects are governed by the\nInfrastructure Executive Steering Committee, 3) software tools are acquired to track licenses of\nsoftware used agencywide on servers to track and better evaluate software usage and related\ncosts, and 4) all tools meeting ESM software tool criteria are approved by the ESM organization\nthrough the IRS Web Request Tracking System.\n\nResponse\nIRS management agreed with all of our recommendations. Corrective actions taken or planned\ninclude 1) modifying ESM project tasks to align with the available funds, 2) placing the ESM\nprojects under the governance of the Infrastructure Executive Steering Committee, 3) acquiring\nand implementing the IBM Tivoli License Compliance Manager product to track and manage all\nsoftware licenses used agency-wide on servers, and 4) taking the necessary actions to place the\nESM organization in the IRS Web Request Tracking System approval path. Management\xe2\x80\x99s\ncomplete response to the draft report is included as Appendix VI.\n\nOffice of Audit Comment\nIn the IRS response to the draft report, management provided a comment acknowledging\nramp-up funds were expended on the ESM project from September 4, 2007, through\nOctober 31, 2007. However, upon further review, the IRS estimate for this cost is approximately\none third of the amount stated in the report.\nThe audit report was prepared based on the information the IRS provided to us during the audit.\nThe audit results were provided to IRS management on several occasions and we made revisions\nto the report based on the IRS comments. After we revised the report to incorporate the IRS\ncomments, we obtained executive agreement to the report at our closing conference.\n\n                                                                                                  3\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\nSubsequently, the IRS advised us that it performed an additional review of the ramp-up cost and\nthe amount of a new estimate. We did not make any additional changes to the report because we\ndid not independently validate the new information submitted after the completion of the audit.\nCopies of this report are also being sent to the IRS managers affected by the report\nrecommendations. Please contact me at (202) 622-6510 if you have questions or\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at\n(202) 622-8510.\n\n\n\n\n                                                                                              4\n\x0c                    The Enterprise Systems Management Program Is Making Progress\n                      to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n\n                                             Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 3\n          The Enterprise Systems Management Organization Has Been\n          Deployed .......................................................................................................Page 3\n          Funding for Contractor Support Was Not Always Provided in a\n          Timely Manner..............................................................................................Page 4\n                    Recommendation 1:........................................................Page 5\n\n          Project Governance Needs to Be Improved..................................................Page 5\n                    Recommendation 2:........................................................Page 7\n\n          Significant Decisions and Events Were Not Always Documented ..............Page 7\n          Controls Over Licenses for Software on Servers and Software Tool\n          Purchases Should Be Improved ....................................................................Page 9\n                    Recommendations 3 and 4: ..............................................Page 11\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 12\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 15\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 16\n          Appendix IV \xe2\x80\x93 Outcome Measure ................................................................Page 17\n          Appendix V \xe2\x80\x93 Glossary of Terms .................................................................Page 18\n          Appendix VI \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ......................Page 20\n\x0c        The Enterprise Systems Management Program Is Making Progress\n          to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n\n                        Abbreviations\n\nCRSD              Customer Relationship and Service Delivery\nESM               Enterprise Systems Management\nIRS               Internal Revenue Service\nITSDM             Information Technology Service Delivery Management\nMITS              Modernization and Information Technology Services\n\x0c                 The Enterprise Systems Management Program Is Making Progress\n                   to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n\n                                            Background\n\nThe Internal Revenue Service (IRS) is striving to\nimprove service to taxpayers, increase the effectiveness        The overall strategic direction\n                                                              for the ESM organization is to be\nand efficiency of agency operations, and provide greater       an enterprise-level organization\nvalue to the Federal Government. To assist the IRS in            with centralized control over\naccomplishing these objectives, the Modernization and           software tools and processes.\nInformation Technology Services (MITS) organization\nhas begun an Enterprise Systems Management (ESM)\ninitiative to improve the effectiveness and efficiency of managing computer systems operations\nand the availability of business systems services on an enterprise-wide basis. This initiative will\nmake better use of taxpayer dollars by reducing the frequency and duration of computer system\noutages, improving service availability for customers, and reducing IRS costs associated with\nowning and managing software tools.\nThe overall strategic direction for the ESM organization is to be an enterprise-level organization\nwith centralized control over software tools and processes1 based upon Information Technology\nInfrastructure Library concepts.2 Specifically, the following three ESM projects were established\nto implement this strategy:\n    \xe2\x80\xa2   End-to-End Business Systems Monitoring Project \xe2\x80\x93 An initiative to address enterprise\n        monitoring from an Information Technology Service Management Service Delivery\n        perspective, addressing both qualitative and quantitative issues with business systems\n        availability and performance monitoring. The overall goal is to improve the incident\n        (e.g., system outages) management capabilities of the service and to better understand the\n        real-time health of business systems. This project was established in October 2006.\n    \xe2\x80\xa2   Tools Centralization and Consolidation Project \xe2\x80\x93 An initiative to develop a strategy and\n        plan for the centralization and consolidation of software tools used across the MITS\n        organization into a single ESM organization. This effort will also develop and maintain\n        an ESM Tool Repository. This project was established in October 2006.\n    \xe2\x80\xa2   Organization and Operations Design Project \xe2\x80\x93 An initiative to implement an\n        enterprise-focused ESM organization that leverages Information Technology\n        Infrastructure Library concepts to provide end-to-end monitoring services and enterprise\n        tools management. This project was established September 2007.\n\n\n1\n  ESM-related software tools and processes are used to provide computer systems support and services such as tool\nadministration, systems monitoring, and change control.\n2\n  See Appendix V for a glossary of terms.\n                                                                                                          Page 1\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\nAnother MITS organization initiative to improve service management is the Information\nTechnology Service Management Program. The Information Technology Service Management\nExecutive Steering Committee is responsible for governing the Program and championing the\ninitiative within the MITS organization and the IRS. The Information Technology Service\nManagement Program initiative improves the way information technology organizations deliver\nand support information technology services so they are focused on the business requirements.\nThis initiative is also based on Information Technology Infrastructure Library concepts. In\nJanuary 2008, the Information Technology Service Management organization was expanded to\ninclude Customer Relationship Management. With the expansion of the organization\xe2\x80\x99s scope,\nthe name was changed to the Customer Relationship and Service Delivery (CRSD) organization\nand is led by an Associate Chief Information Officer. This organization will work with the other\nMITS organizations to implement a comprehensive and consistent approach to service delivery.\nThis review was performed at the MITS organization offices in New Carrollton, Maryland;\nMemphis, Tennessee; and Martinsburg, West Virginia, during the period September 2007\nthrough July 2008. We conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objective. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit objective. Detailed\ninformation on our audit objective, scope, and methodology is presented in Appendix I. Major\ncontributors to the report are listed in Appendix II.\n\n\n\n\n                                                                                         Page 2\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n\n                                   Results of Review\n\nThe Enterprise Systems Management Organization Has Been\nDeployed\nIn June 2007, the IRS began the process of making organizational changes to improve service\ndelivery effectiveness and efficiency. The redesigned ESM organization includes the Enterprise\nService Desk organization and the Systems Management, Reporting, and Tools organization,\nwhich was created by realigning the prior ESM organization groups shown in Figure 1.\n                      Figure 1: Initial ESM Redesigned Organization\n\n                                      ESM Organization\n\n                                                                             Enterprise\n                Systems Management, Reporting, and Tools\n                                                                            Service Desk\n       Production        Process       Process      Enterprise Analysis\n        Support         Support I     Support II      and Reporting\n   Source: The ESM project team.\n\nThe Enterprise Service Desk provides a central point for reporting, tracking, and resolving\ninformation technology problems across the enterprise. This review focused on the Systems\nManagement, Reporting, and Tools organization. The mission statements for the redesigned\nESM organization were rewritten after the redesign in June 2007, but the roles and\nresponsibilities of the personnel in the four subordinate groups of the Systems Management,\nReporting, and Tools organization did not change.\nThe Systems Management, Reporting, and Tools organization maintains a useful interactive web\nsite enabling personnel to access detailed information on workstations and reports of its\nmonitoring activities. The reports describe the performance \xe2\x80\x9chealth\xe2\x80\x9d of servers, desktops, and\nlaptops, as well as identify mislabeled systems.\nIRS executives and managers should continuously evaluate the effectiveness and efficiency of\ntheir organizations; plan, propose, and obtain review and approval of reorganizations as needed;\nand evaluate the effects of reorganization. The Office of Management and Budget\nCircular A-130, Management of Federal Information Resources, states that agencies should seek\nopportunities to improve the effectiveness and efficiency of Federal Government programs\nthrough work process redesign and the judicious application of information technology.\nAlthough the June 2007 reorganization is not anticipated to be the final ESM reorganization,\n\n                                                                                         Page 3\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\noverall the three ESM projects are making progress toward the goals of providing better service\nand reducing costs.\n\nFunding for Contractor Support Was Not Always Provided in a Timely\nManner\nThe IRS requested contractor support to evaluate, design, and plan an infrastructure that can\nsupport the IRS\xe2\x80\x99 business requirements for monitoring and managing business services.\nHowever, the IRS did not always provide funding in a timely manner for contractor support for\nthe ESM projects, which resulted in schedule slippage and additional costs.\nESM organization management obtained funding for contractor support from the Chief\nInformation Officer\xe2\x80\x99s project funding account. Additional funding was obtained from the End\nUser Equipment and Services organization when it authorized the realignment of $88,844 to\ncover contractor services through June 30, 2007. However, funding for contractor support lapsed\nin July 2007 and work was put on hold pending the award of the new contract.\nA new contract was awarded on August 29, 2007. However, management commented that it\ntook approximately 2 months to get the new contractors familiar with the work previously\ncompleted. We reviewed contractor invoices from September 4 through October 31, 2007, and\ndetermined that the IRS spent $491,952 just to get the new contractors familiar with what had\nbeen previously provided. The potential risk of additional\nproject delays due to funding and budget issues was reported to\nIRS executives in November 2007.                                     Funding for ESM project\n                                                                     contractor support was\nThe three ESM project teams provide weekly status reports to          provided from several\nMITS organization executives to raise issues and risks affecting     sources. However, the\nthe ESM initiative. For example,                                    delayed funding resulted\n                                                                    in schedule slippage and\n   \xe2\x80\xa2   In December 2007, the Organization and Operations              $491,952 in additional\n       Design Project began reporting that its schedule,                     costs.\n       deliverables, and/or cost might be affected by its funding\n       being scheduled to end in February 2008--prior to the\n       completion of planned activities. In February 2008, activity was underway to close down\n       contractor support due to the lack of funding.\n   \xe2\x80\xa2   In November 2007, the End-to-End Business Systems Monitoring Project began\n       reporting that its schedule, deliverables, and/or cost had been affected by insufficient\n       funding. On February 19, 2008, it was reported that the current funding would carry the\n       project only through the end of February 2008.\nAlthough the project was listed as a critical unfunded need, in January 2008, the MITS\nEnterprise Governance Committee did not approve funding for ESM project contractor support\nbecause of competing priorities and the unavailability of funds. Subsequently, the Chief\n                                                                                          Page 4\n\x0c                  The Enterprise Systems Management Program Is Making Progress\n                    to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\nInformation Officer approved $875,000 for ESM contractor support through May 2008. The\nfunds identified were anticipated software contract savings to be received by the IRS. As of\nJune 26, 2008, additional funding had not been approved.\nThe Chief Information Officer is responsible for managing information resources and technology\nmanagement and the IRS long-range objectives and strategies for improving tax administration\nthrough modernizing the tax administration system. The IRS indicated that the ESM initiative\nhad problems in obtaining funding because the demand for funding is always much greater than\nthe supply, and funding requirements are based on both available resources and IRS project\nprioritization. As a result of not funding the ESM initiative in a timely manner, the IRS\nexperienced schedule slippage and $491,952 in additional costs that could have been more\nefficiently used.3\n\nRecommendation\nRecommendation 1: The Chief Information Officer should ensure that the ESM projects\nreceive timely and sufficient funding, or revise the projects\xe2\x80\x99 tasks to ensure efficient use of\ncontractor support funds and continuity of funding.\n          Management Response: IRS management agreed with this recommendation and\n          will modify ESM project tasks to align with the available funds.\n          Office of Audit Comment: In the IRS response to the draft report, management\n          provided a comment acknowledging ramp-up funds were expended on the ESM project\n          from September 4, 2007, through October 31, 2007. However, upon further review, the\n          IRS estimate for this cost is approximately one third of the amount stated in the report.\n          The audit report was prepared based on the information the IRS provided to us during the\n          audit. The audit results were provided to IRS management on several occasions and we\n          made revisions to the report based on the IRS comments. After we revised the report to\n          incorporate the IRS comments, we obtained executive agreement to the report at our\n          closing conference. Subsequently, the IRS advised us that it performed an additional\n          review of the ramp-up cost and the amount of a new estimate. We did not make any\n          additional changes to the report because we did not independently validate the new\n          information submitted after the completion of the audit.\n\nProject Governance Needs to Be Improved\nThe ESM projects did not always have adequate executive steering committee oversight to\nensure that issues and risks were resolved in a timely manner. ESM management stated that the\n\n\n3\n    Appendix IV provides a summary of the outcome measure.\n\n                                                                                              Page 5\n\x0c                 The Enterprise Systems Management Program Is Making Progress\n                   to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\nESM Executive Steering Committee initially provided oversight of the three ESM projects.\nHowever, management could not provide evidence of the oversight.\nIn June 2007, the Chief Information Officer established the Information Technology Service\nManagement organization to provide oversight of the MITS organization-wide Information\nTechnology Infrastructure Library related processes (e.g., Incident Management, Problem\nManagement, and Tools Assessment). However, the organization has undergone several name\nchanges and is now referred to as the Information Technology Service Delivery\nManagement (ITSDM) organization. The ITSDM and ESM organizations provided us with\ninconsistent explanations about ESM project governance. For example:\n    \xe2\x80\xa2    ESM organization management stated that the Executive Steering Committee joined the\n         ITSDM organization in September 2007 and there was a verbal agreement with the\n         former Director, ITSDM, that the ITSDM organization would provide oversight for the\n         three ESM projects, given that the members served on each Executive Steering\n         Committee. However, the ITSDM organization was not aware of the verbal agreement\n         because the former Director retired and the agreement was not documented in meeting\n         minutes or other written communication.\n    \xe2\x80\xa2    In March 2008, the Director, ITSDM, stated that the ITSDM organization did not provide\n         oversight for the ESM projects. Instead, the Infrastructure Executive Steering Committee\n         provided the formal governance for the ESM projects. The Director explained that the\n         ESM project teams were brought in regularly at the ITSDM organization meetings for\n         status briefings solely for informational purposes. However, ESM organization\n         management stated that the Infrastructure Executive Steering Committee had not\n         provided oversight of the three ESM projects.\n         We reviewed the Infrastructure Executive Steering Committee meeting minutes from\n         March 14, 2007, through June 11, 2008. The only mention of the ESM projects was from\n         the December 3, 2007, ad-hoc meeting to prioritize the unfunded budget requests. The\n         minutes show the ESM project contractor support was ranked 13th in the Infrastructure\n         Executive Steering Committee priority ranking.\nThe Clinger-Cohen Act of 19964 states that agencies shall develop a process for analyzing,\ntracking, and evaluating the risks and results of all major capital investments made by an\nexecutive agency for information systems. The IRS implemented an Enterprise Governance\nModel for project and program oversight. Governance bodies typically respond to immediate\nneeds such as decision-making; risks; managing the project baselines; cost, schedule, and scope\n\n\n4\n (Federal Acquisition Reform Act of 1996) (Information Technology Management Reform Act of 1996),\nPub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C. app., 10 U.S.C., 15 U.S.C.,\n16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C.,\n44 U.S.C., 49 U.S.C., 50 U.S.C.).\n                                                                                                             Page 6\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\nvariances; and actions essential to resolving program or project problems affecting the\nachievement of strategic goals.\nESM organization management stated that the ESM project issues and risks were not reported to\nthe Infrastructure Executive Steering Committee because they were discussed in briefings with\nthe Chief Information Officer and MITS organization executives. We were provided the\ndocumentation (dated May 2, 2007) used at the briefings. The documentation included the status\nof completed and planned work for the ESM projects. However, there were no meeting minutes\nto document the discussions. Without the proper amount of executive oversight, the IRS\nincreases the risk that the three ESM projects will incur additional costs and schedule slippage.\nManagement Action: To improve the governance process over the ESM projects, the Director,\nITSDM, was asked to lead the ESM projects beginning in December 2007. The Director\nsubsequently became the Deputy Director, CRSD. Management indicated that the Deputy\nDirector, CRSD, would continue to oversee the ESM projects to ensure that the projects proceed\nin the right direction and funding needs are reported. In June 2008, the Deputy Director, CRSD,\nwas reassigned to become the Associate Chief Information Officer, Enterprise Operations, but is\nstill responsible for overseeing the three ESM projects. In addition, a new request for\norganizational change is being submitted for approval for the ESM organization to become a part\nof the Enterprise Operations organization, with an anticipated effective date of October 1, 2008.\nThe ESM initiative is also scheduled to be presented to the Infrastructure Executive Steering\nCommittee in July 2008.\n\nRecommendation\nRecommendation 2: The Chief Information Officer should place ESM projects under the\ngovernance of the Infrastructure Executive Steering Committee to ensure that risks and issues are\nresolved in a timely manner.\n       Management Response: IRS management agreed with this recommendation. The\n       ESM projects are under the governance of the Infrastructure Executive Steering\n       Committee to ensure risks and issues are resolved in a timely manner.\n\nSignificant Decisions and Events Were Not Always Documented\nSignificant decisions and events were not documented and included in monthly project status\nreports, which resulted in increased risks of miscommunication, responsible parties not being\nheld accountable, and actions not being implemented in a timely manner. For example, the\nEnd-to-End Business Systems Monitoring Project team did not have any written documentation\nshowing the four specific applications they recommended for future work or to support who\napproved the applications and when they were approved because the decisions were verbal.\n\n\n                                                                                          Page 7\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\nThe Tools Centralization and Consolidation Project also lacked documentation. The tool subsets\nselection process and changes to the selection process were not documented. The Tools\nCentralization and Consolidation Project team had begun the process to prioritize the tools for\ncentralization, but this process was replaced by discussions with the ITSDM Executive Steering\nCommittee. The selections were based on software tools that were needed or would soon be\nneeded by other MITS organization projects, which are in accordance with the Tools Project\nstrategy of centralizing tools based on business priorities. However, none of the activities or\ndecisions leading to the final selection were documented. The undocumented discussions and\ndecisions included:\n   \xe2\x80\xa2   The Tools Centralization and Consolidation Project\xe2\x80\x99s discussions with the ITSDM\n       organization.\n   \xe2\x80\xa2   The justification for selecting the tool subsets.\n   \xe2\x80\xa2   The tool subsets recommended by the Tools Centralization and Consolidation Project and\n       presented to the Chief Information Officer and Associate Chief Information Officers.\n   \xe2\x80\xa2   The tool subsets selected and approved by the Chief Information Officer and Associate\n       Chief Information Officers.\nThe ESM organization and the ITSDM organization also had conflicting accounts about how the\ntool recommendations were presented and how the selections were made.\nThe Government Accountability Office Standards for Internal Control in the Federal\nGovernment states that the entire process or life cycle of an event from the initiation and\nauthorization should be promptly recorded to maintain its relevance and value to management in\ncontrolling operations and making decisions. Insufficient or lack of documentation of key\ndecisions increases the risk for miscommunication and the risks that responsible parties are not\nheld accountable, and that actions are not implemented in a timely manner. Also, when new\nmanagement and staff are assigned to the ESM projects, they will not have access to\ndocumentation of key events and decisions that will help them understand the history and\nchanges in the projects. Without complete and accurate project management documentation, the\nIRS increases the risk that the three ESM projects will incur additional costs and schedule\nslippage.\nManagement Action: The ESM project team agreed with our observations and is now\ndocumenting communications and meetings. We verified that meetings are now being\ndocumented by reviewing the minutes from an ESM organization meeting held March 27, 2008.\nBased on the management action, we are not making any recommendations regarding project\ndocumentation.\n\n\n\n\n                                                                                          Page 8\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\nControls Over Licenses for Software on Servers and Software Tool\nPurchases Should Be Improved\nThe Tools Centralization and Consolidation Project is collecting data on software tools within\nthe MITS organization and entering the data into a database called the Tool Repository. The\nTool Repository includes information about the tools such as name, manufacturer, tool functions,\nlicense and maintenance data and cost, users, and tool version. However, the IRS does not have\nan efficient and effective means to determine the number of licenses owned or used for the\nsoftware on its servers. As a result, approximately 47 percent of the tools in the Tool Repository\nwere missing the information.\nWe surveyed IRS organizations outside of the MITS organization that owned or operated servers\nto determine the tools used to monitor or manage its information technology systems, the process\nfor selecting and acquiring the tools, and the cost of the tools. Only three IRS organizations\noutside of the MITS organization had such tools: the Counsel Information Systems Office, the\nCriminal Investigation Division, and the Statistics of Income organization. All three\norganizations stated that they consulted with the MITS organization prior to purchasing software\ntools. The 3 organizations had 56 unique tools.\nNine of the 56 tools had names that were the same or similar to those in the Tool Repository.\nWe performed research and interviewed the Tools Centralization and Consolidation Project\nManager to determine whether the MITS organization had available licenses for the nine tools.\nBased on our analysis, we determined that:\n   \xe2\x80\xa2   One tool had available licenses and the IRS organization outside of the MITS\n       organization was using these licenses.\n   \xe2\x80\xa2   Three tools did not have any available licenses, so the IRS organization outside of the\n       MITS organization purchased its own.\n   \xe2\x80\xa2   Five tools did not have the information needed to determine the number of available\n       licenses. The IRS organizations outside of the MITS organizations stated that three of\n       the five tools were obtained through IRS enterprise license agreements. One tool was\n       purchased by the MITS organization for an organization outside of the MITS\n       organization. One tool was purchased by an organization outside of the MITS\n       organization.\nWe also analyzed the entire Tool Repository to determine the completeness of license\ninformation. As of April 15, 2008, the Tool Repository listed 240 tools. Figure 2 provides a\nsummary of tool software license information.\n\n\n\n\n                                                                                           Page 9\n\x0c               The Enterprise Systems Management Program Is Making Progress\n                 to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n              Figure 2: License Information for Tool Software on Servers\n  Licenses Owned         Licenses Used            Tool Count                          Notes\n     Unknown                Unknown                94 (39.2%)\n     Unknown                  Known                 1 (0.4%)\n                                                                      The number of licenses owned\n                                                                      for 11 of these 17 tools ranged\n                                                                      from 100 to 130,000. Because\n                                                                      the number of licenses used is\n       Known                Unknown                17 (7.1%)\n                                                                      unknown, an IRS organization\n                                                                      outside of the MITS organization\n                                                                      spent $4,815 to purchase its own\n                                                                      copy of a tool.\n                                                                      Number and percent of licenses\n                                   Subtotal       112 (46.7%)\n                                                                      with incomplete information.\n                                                                      Number and percent of licenses\n       Known                  Known               128 (53.3%)\n                                                                      with complete information.\n                                      Total            240\nSource: Treasury Inspector General for Tax Administration analysis of the Tool Repository.\n\nThe Tools Centralization and Consolidation Project Manager is attempting to determine the\nnumber of licenses owned and used for the tools that are missing information in order to update\nthe Tool Repository. However, the Project Manager has had difficulty finding the information\nbecause the designated points of contact for the tools do not always have the requested\ninformation. Additional manual research performed is inefficient and does not always identify\nthe information.\nDuring our analysis of the software licenses, we found that organizations can purchase software\ntools without the ESM organization\xe2\x80\x99s knowledge. The Tools Centralization and Consolidation\nProject Manager was aware of this and had reported it as a risk in a status report. In an effort to\nreduce the risk, the Project Manager submitted a request to include in the Internal Revenue\nManual a requirement that the ESM organization be included as an approver for all purchase\nrequests meeting the software tool criteria. The request was submitted on November 1, 2007, but\nis still under review, and must be approved by all stakeholders before the requirement is included\nin the Internal Revenue Manual.\nThe Chief Information Officer is responsible for managing agency-wide information resources\nand technology management and the IRS long-range objectives and strategies for improving tax\nadministration through modernizing the tax administration system. An organization\xe2\x80\x99s ability to\nmore effectively manage its information technology environment depends on how effectively the\n\n                                                                                                Page 10\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\ninformation technology organization uses software tools. By centralizing and consolidating\ntools, the IRS hopes to reduce costs associated with owning and managing software tools and\nidentify and develop standard tools to eliminate duplication and address any gaps in tool\nfunctionality. Ensuring that the proper number of software licenses are purchased and\ndistributed to those who need them also helps to contain costs.\nWithout the ability to track software licenses and distribution, the IRS risks paying for unneeded\nlicenses for additional licenses when unused licenses were available for distribution. For\nexample, if there were 45 unused licenses for Spotlight\xc2\xae on Active Directory, the business unit\ncould have used them and avoided spending $4,815. The number of licenses owned and/or used\nis not readily available or easily accessible because the IRS does not have a database or software\nlicense tracking tool in place to assist in identifying and tracking software used on its servers.\n\nRecommendations\nThe Chief Information Officer should:\nRecommendation 3: Acquire software tools to track licenses of software used agency-wide\non servers to track and better evaluate software usage and related costs.\n       Management Response: IRS management agreed with this recommendation. The\n       IRS has acquired and will implement the IBM Tivoli License Compliance Manager\n       product to track and manage all software licenses used agency-wide on servers in order to\n       better evaluate software usage and related costs.\nRecommendation 4: Ensure that all tools meeting ESM organization software tool criteria\nand requested by all IRS organizations are submitted to the ESM organization for approval\nthrough the IRS Web Request Tracking System.\n       Management Response: IRS management agreed with this recommendation. The\n       IRS will take the necessary actions to place the ESM organization in the IRS Web\n       Request Tracking System approval path to ensure that requests meet the ESM\n       organization\xe2\x80\x99s software tool criteria.\n\n\n\n\n                                                                                          Page 11\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n                                                                                  Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nThe overall objective was to assess the efficiency and effectiveness of the ESM organization\nimplementation and strategy. To accomplish this objective, we:\nI.     Evaluated the effectiveness and efficiency in implementing the ESM organization.\n       A. Evaluated the effectiveness and efficiency in implementing the initial ESM\n          organization.\n           1. Reviewed policies and procedures governing the establishment of the ESM\n              organization.\n           2. Determined whether key program management documents were prepared and\n              approved.\n           3. Determined whether the ESM organization obtained adequate resources and\n              funding to implement the ESM strategy.\n           4. Obtained a walkthrough of the Systems Management, Reporting, and Tools\n              organization to determine how it provided and maintained the monitoring\n              environment and tools.\n       B. Evaluated the Organization and Operations Design Project efforts to implement an\n          improved ESM organization.\n           1. Interviewed ESM organization personnel to determine the mission, scope, and\n              implementation timeline for the Organization and Operations Design Project and\n              whether a Project Office was established and the governance process for\n              overseeing the Project--for example, identify the executive steering committee\n              responsible for this project.\n           2. Determined whether key project documents were prepared and approved\n              (e.g., Project Plan, Work Breakdown Structure, management approval).\n           3. Interviewed ESM organization personnel to determine the process for and status\n              in defining ESM organization personnel roles and responsibilities, organization\n              structure, program governance, and service delivery.\n           4. Identified and obtained, if available, Phase II work products and deliverables and\n              determined whether they will be/were delivered in a timely manner (e.g., ESM\n              Services Catalog, ESM Communication Strategy and Plan, ESM Process\n              Integration Framework).\n                                                                                         Page 12\n\x0c                 The Enterprise Systems Management Program Is Making Progress\n                   to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\nII.     Evaluated the Tools Management Project Office efforts to ensure effective and efficient\n        use of software tools1 through centralization and consolidation of the tools.\n        A. Evaluated the effectiveness and efficiency of program and project management\n           controls over the Tools Management Project Office.\n             1. Reviewed policies and procedures governing the purchase of monitoring tools and\n                the related licenses and maintenance contracts by the MITS organization and IRS\n                organizations outside of the MITS organization.\n             2. Determined how issues and risks were tracked, whether any issues were\n                outstanding, and whether a risk mitigation plan was developed.\n             3. Reviewed the Tools Management Project Plan and ESM Tools Centralization\n                and/or Consolidation Plan.\n        B. Evaluated the process for selecting software tools for centralization and\n           consolidation.\n             1. Interviewed ESM organization management to determine the process and criteria\n                for selecting software tools for centralization and consolidation.\n             2. Determined whether software tools were selected for centralization and/or\n                consolidation and whether the tools selected met the selection criteria.\n             3. Obtained an inventory of software tools used by IRS organizations outside of the\n                MITS organization and compared the MITS inventory of monitoring tools to the\n                IRS organizations outside of the MITS organization inventory of software tools to\n                identify duplicate tools and whether the duplicate tools had licenses and\n                maintenance contracts.\n        C. For the duplicate software tools identified in Step II.B.3., determined whether cost\n           savings could be realized if the IRS organizations outside of the MITS organization\n           obtained or used tools available through the MITS organizations.\n             1. Interviewed appropriate personnel (e.g., MITS organization and business unit\n                personnel) to determine whether the duplicate tools identified have the capability\n                to perform the same functionality required in both the MITS organization and the\n                IRS organizations outside of the MITS organization and the process and analysis\n                used in purchasing the duplicate software tools, the related licenses, and\n                maintenance contracts, and whether the MITS organization was contacted prior to\n                making these purchases.\n\n\n1\n ESM-related software tools are used to provide systems support and services such as tool administration, systems\nmonitoring, and change control.\n                                                                                                         Page 13\n\x0c             The Enterprise Systems Management Program Is Making Progress\n               to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n          2. Determined whether the MITS organization has a process in place to obtain\n             agreement with the business units that MITS organization monitoring tools satisfy\n             the business unit\xe2\x80\x99s needs.\n          3. Obtained the cost of the duplicate monitoring tools and the related licenses and/or\n             maintenance contracts in the IRS organizations outside of the MITS organization\n             and interviewed MITS organization personnel to determine whether cost savings\n             could be realized if the IRS organizations outside of the MITS organization\n             obtained or used tools available through the MITS organization.\nIII.   Evaluated the End-to-End Monitoring Project Office efforts to ensure effective and\n       efficient End-to-End monitoring throughout the IRS.\n       A. Evaluated the effectiveness and efficiency of program and project management\n          controls over the End-to-End Monitoring Project Office.\n          1. Interviewed ESM organization personnel to determine the project plan, process,\n             and status in implementing End-to-End monitoring.\n          2. Determined whether key project management documents were prepared and\n             approved (e.g., business case, Project Plan, Work Breakdown Structure, etc.).\n          3. Determined how issues and risks were tracked, whether any issues were\n             outstanding, and whether a risk mitigation plan was developed.\n       B. Determined whether the Modernized e-File End-to-End Proof of Concept was on\n          schedule and whether it demonstrated a process for effective End-to-End monitoring.\nIV.    We used the IRS Web Request Tracking System and the MITS Project Tracking System\n       to obtain contract information on the software reviewed in this audit. Because we did not\n       use the information to make projections, we did not validate the data on these systems.\n       We received the ESM Tool Repository, which was in a Microsoft Excel spreadsheet. The\n       data in the spreadsheet were entered from survey responses that were provided to the\n       ESM team in written format and/or verbally. We did not request the survey responses to\n       validate the data.\n\n\n\n\n                                                                                        Page 14\n\x0c             The Enterprise Systems Management Program Is Making Progress\n               to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nScott Macfarlane, Director\nDanny Verneuille, Audit Manager\nTina Wong, Senior Auditor\nLinda Screws, Auditor\nSuzanne Westcott, Auditor\n\n\n\n\n                                                                                     Page 15\n\x0c         The Enterprise Systems Management Program Is Making Progress\n           to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n                                                                     Appendix III\n\n                    Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Commissioner for Services and Enforcement SE\nCommissioner, Large and Mid-Size Business Division SE:LM\nCommissioner, Small Business/Self-Employed Division SE:S\nCommissioner, Tax Exempt and Government Entities Division SE:T\nCommissioner, Wage and Investment Division SE:W\nChief, Agency-Wide Shared Services OS:A\nChief, Criminal Investigation Division SE:CI\nChief Human Capital Officer OS:HC\nAssociate Chief Information Officer, End User Equipment and Services OS:CIO:EU\nAssociate Chief Information Officer, Enterprise Operations OS:CIO:EO\nDirector, Office of Research, Analysis, and Statistics RAS\nDirector, Stakeholder Management OS:CIO:SM\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Commissioner, Large and Mid-Size Business Division SE:LM\n       Commissioner, Small Business/Self-Employed Division SE:S\n       Commissioner, Tax Exempt and Government Entities Division SE:T\n       Commissioner, Wage and Investment Division SE:W\n       Chief, Agency-Wide Shared Services OS:A\n       Chief, Criminal Investigation Division SE:CI\n       Chief Human Capital Officer OS:HC\n       Director, Program Oversight Office OS:CIO:SM:PO\n       Director, Office of Research, Analysis, and Statistics RAS\n\n\n\n\n                                                                             Page 16\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n                                                                                Appendix IV\n\n                                Outcome Measure\n\nThis appendix presents detailed information on the measurable impact that our recommended\ncorrective action will have on tax administration. This benefit will be incorporated into our\nSemiannual Report to Congress.\n\nType and Value of Outcome Measure:\n\xe2\x80\xa2   Inefficient Use of Resources \xe2\x80\x93 Actual; $491,952 (see page 4).\n\nMethodology Used to Measure the Reported Benefit:\nBecause funding for contractor support lapsed in July 2007 and a new contract was not awarded\nuntil August 29, 2007, new contractors were assigned to the ESM initiative. Management\ncommented that it took approximately 2 months to get the new contractors familiar with the\nwork previously completed. We reviewed contractor invoices from September 4 through\nOctober 31, 2007, and determined that the IRS spent $491,952 to get the new contractors\nfamiliar with the work previously completed on the ESM projects.\n\n\n\n\n                                                                                         Page 17\n\x0c              The Enterprise Systems Management Program Is Making Progress\n                to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n                                                                          Appendix V\n\n                                 Glossary of Terms\n\nEnd-to-End Monitoring                    Managing all information technology\n                                         component and subcomponent layers that exist\n                                         in the IRS information technology operational\n                                         environment.\nEnterprise Governance Committee          The highest-level recommendation and\n                                         decision-making body to oversee and enhance\n                                         enterprise management of information systems\n                                         and technology.\nInformation Technology Infrastructure    A series of books giving guidance--based on\nLibrary                                  best practices--on the provision of quality\n                                         information technology services and on the\n                                         accommodation and environmental facilities\n                                         needed to support information technology.\nModernized e-File                        A project to develop the modernized, web-based\n                                         platform for filing approximately 330 IRS forms\n                                         electronically.\nProject Tracking System                  A web-based budget application, which includes\n                                         contract information.\nServer                                   A computer that carries out specific functions.\n                                         For example, file servers store files, print\n                                         servers manage printers, and network servers\n                                         manage network traffic.\nSpotlight\xc2\xae on Active Directory           Software used to monitor and troubleshoot\n                                         problems on computers in Active Directory\n                                         (a technology for administering and securing\n                                         computer networks) environments.\n\n\n\n\n                                                                                  Page 18\n\x0c            The Enterprise Systems Management Program Is Making Progress\n              to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\nWeb Request Tracking System          A web-based application that allows IRS\n                                     personnel to prepare, approve, fund, and track\n                                     requests for the delivery of goods and services.\n                                     It also allows for electronic acceptance of items\n                                     delivered and provides an electronic interface\n                                     with the Automated Financial System for\n                                     payment processing.\n\n\n\n\n                                                                              Page 19\n\x0c   The Enterprise Systems Management Program Is Making Progress\n     to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n                                                    Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                           Page 20\n\x0cThe Enterprise Systems Management Program Is Making Progress\n  to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n\n                                                        Page 21\n\x0cThe Enterprise Systems Management Program Is Making Progress\n  to Improve Service Delivery and Monitoring, but Risks Remain\n\n\n\n\n                                                        Page 22\n\x0c'